Search squid archive

Re: ssl_bump newbie troubles

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 21 April 2016 at 00:11, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 04/20/2016 02:22 PM, Odhiambo Washington wrote:

> All I want is the ability to intercept SSL sites and control access to
> them using TIME ACLs. That's all.

I will assume that your definition of a "site" is "domain name".

Yes.
 

> So in simple:
> 1. UserX tries to access facebook.com/youtube.com
> 2. I intercept transparently https traffic
> 3. I tell squid "don't allow this user to access facebook.com
>  at this time, but let them access at some-other-time
> 4. If time is right, let userX access the site.

> So looks like all I need is a setup of passive monitoring, given my
> explanation above, right?

The answer depends on what you want Squid to do when access is not
allowed. If you are OK with terminating the prohibited connection (no
error messages explaining company policy sent by Squid to your users!),
then yes:

  ssl_bump terminate restricted_sites
  ssl_bump peek all
  ssl_bump splice all


What I would like is:

1. that squid is able to 'see' that userX is trying to visit https://www.facebook.com
2. but at that particular time (time ACL) userX is not allowed to go to facebook.com, so squid denies access, throws a default error on their browser
3. However, userY has unrestricted access to anywhere at all times so squid allows the user to proceed. 
The time logic is already built in squid.conf. All that remains is just intercept https traffic and let the time acls decide whether or not a user can get there..


So allow me to ask: in ssl_bump terminate restricted_sites,  I am lost as to what restricted_sites represent.

If my squid.conf matters, I have it here: http://goo.gl/vA6nrB. All I want is to restrict/control (using time) access to TIMEWASTAGESITES :-)
I do not need to bump at all.

(My English could be my undoing here :-))

Thanks for your patience in baby-sitting me.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux